I have this filter:
SecFilter "[^-a-z0-9\._]cd[^+]"
It's matching this /index.htm?page=3DWebMailf+cd+ but it shouldn't. Can =
anyone tell me why it's doing this? When I test this in perl it does not =
match.

Gerwin Krist -|- Digitalus Webhosting wrote:
> Hello guys,
>
> I want the following filter but i can't figger it out exactly.
> I want to check ARGS if there is http:// in it AND .txt OR.jpg OR .gif.
> so it should match on all:
> id=http://www.ddddd.br/dc.jpg
> id=http://www.ddddd.br/dc.txt
> id=http://www.ddddd.br/dc.jpg
>
> What should be the filter code to use?
Try something like this:
SecFilterSelective ARGS "(http:/).+(\.txt|\.jpg|\.gif)"
^1 ^2
1. Anti-evasion techniques mod_security uses will compress multiple
forward slash characters to only one.
2. Because the dot character has a special meaning in regular
expressions you will want to escape it to neutralise it.
--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]